OK clear, many thanks!

Winny

Op 25-01-16 om 09:45 schreef Christian Heimes:
On 2016-01-25 08:17, Winfried de Heiden wrote:
Great,

Changing

/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

to

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true

along with adding the windows realm to krb5.conf on the clients did the
trick; I am able to obtain aan AD TGT ticket by using the KDC proxy

Is there a special reason why "use_dns = false" was used in kdcproxy.conf?
The current implementation of the DNS configuration feature is slow and
reduce performance of KDC proxy requests. Every request has to fetch
multiple SRV records and then resolve each entry in each record again.
There is neither caching nor async DNS support, too.

A co-worker has written a RFC to address the problem. The RFC hasn't
been approved yet.
https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00

Do you need dynamic configuration or can you get by with static
configuration in krb5.conf?

Christian


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to